49adcbe0edf827d6c8871ace031b694f02d39f48848f9f468d1d3f13c7a80363

Analysis

max time kernel
11s
max time network
16s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 21:45

Sharing

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-20T21:45:56Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win10v2004-20240412-en/instance_4-dirty.qcow2\"}"

Report Analysis Logs

General

Target

49adcbe0edf827d6c8871ace031b694f02d39f48848f9f468d1d3f13c7a80363.exe
Size

242KB
MD5

31f1a2124047ccabc166e0b3f8893fc6
SHA1

f6e0cbb73524093f86745bf8fefe4cf1fc8bc421
SHA256

49adcbe0edf827d6c8871ace031b694f02d39f48848f9f468d1d3f13c7a80363
SHA512

1e69325ee1cc15918f5976884bacc2361e532661b9a25bb4959b672b4f1530babea3cb8e760a05ad20c41488fef36cfb9b1dfa33d1cfd66fb952f5c069d5302e
SSDEEP

1536:VIQmyK7wWjGhszjuAJN5Z4Dz2o7bJt2LuZVfsrkaVUImZLAiiwfsrkaV1fsrkaVt:VM7wWlTNTNqQgV6V8ZLB6V16VKcWmjR

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	49adcbe0edf827d6c8871ace031b694f02d39f48848f9f468d1d3f13c7a80363.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjjjle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Denlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehlaaddj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcalgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epmcab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcgoilpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epmcab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daifnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcgoilpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elagacbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebnoikqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejgdpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eofinnkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daifnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giacca32.exe

Executes dropped EXE 64 IoCs

pid	Process
3376	Doccaall.exe
1408	Denlnk32.exe
3900	Dhlhjf32.exe
4680	Dpcpkc32.exe
3168	Dcalgo32.exe
2936	Djlddi32.exe
4004	Dcdimopp.exe
4220	Dphifcoi.exe
1264	Daifnk32.exe
4516	Dhcnke32.exe
992	Dakbckbe.exe
2976	Elagacbk.exe
2436	Epmcab32.exe
5044	Ebnoikqb.exe
4432	Eoapbo32.exe
3880	Ejgdpg32.exe
2744	Ecphimfb.exe
3244	Efneehef.exe
5020	Ehlaaddj.exe
3864	Eofinnkf.exe
2948	Ebeejijj.exe
3340	Emjjgbjp.exe
2904	Fbgbpihg.exe
3116	Fqhbmqqg.exe
1316	Fcgoilpj.exe
3084	Ffekegon.exe
1876	Fbllkh32.exe
4064	Fjcclf32.exe
3176	Fqmlhpla.exe
4476	Fckhdk32.exe
432	Ffjdqg32.exe
2836	Fqohnp32.exe
1720	Fflaff32.exe
2124	Fijmbb32.exe
4776	Fodeolof.exe
1632	Gbcakg32.exe
2404	Gjjjle32.exe
512	Gcbnejem.exe
2160	Gfqjafdq.exe
752	Giofnacd.exe
3992	Gqfooodg.exe
3612	Gcekkjcj.exe
2228	Giacca32.exe
2528	Gqikdn32.exe
3908	Gbjhlfhb.exe
1592	Gmoliohh.exe
2784	Gpnhekgl.exe
2864	Gfhqbe32.exe
3476	Gmaioo32.exe
2116	Hclakimb.exe
1928	Hboagf32.exe
808	Hjfihc32.exe
4236	Hapaemll.exe
2216	Hbanme32.exe
2260	Hjhfnccl.exe
4692	Hpenfjad.exe
2300	Hfofbd32.exe
3596	Hadkpm32.exe
4860	Hccglh32.exe
3020	Hfachc32.exe
1356	Hippdo32.exe
3036	Hcedaheh.exe
4324	Hibljoco.exe
3436	Haidklda.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hlcqelac.dll	Gbjhlfhb.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Qfiapa32.dll	Fbllkh32.exe
File opened for modification	C:\Windows\SysWOW64\Fflaff32.exe	Fqohnp32.exe
File opened for modification	C:\Windows\SysWOW64\Gqikdn32.exe	Giacca32.exe
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Jjmhppqd.exe	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Lcglnp32.dll	Fijmbb32.exe
File created	C:\Windows\SysWOW64\Ijdeiaio.exe	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Ijkljp32.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Leqcod32.dll	Jibeql32.exe
File opened for modification	C:\Windows\SysWOW64\Giacca32.exe	Gcekkjcj.exe
File created	C:\Windows\SysWOW64\Bbamkcqa.dll	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Imbaemhc.exe	Ijdeiaio.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Ejgdpg32.exe	Eoapbo32.exe
File created	C:\Windows\SysWOW64\Kncfca32.dll	Fflaff32.exe
File created	C:\Windows\SysWOW64\Gfhqbe32.exe	Gpnhekgl.exe
File opened for modification	C:\Windows\SysWOW64\Haidklda.exe	Hibljoco.exe
File opened for modification	C:\Windows\SysWOW64\Efneehef.exe	Ecphimfb.exe
File created	C:\Windows\SysWOW64\Klfbpcko.dll	Ecphimfb.exe
File opened for modification	C:\Windows\SysWOW64\Ebnoikqb.exe	Epmcab32.exe
File created	C:\Windows\SysWOW64\Geekfi32.dll	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Hccglh32.exe	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Ebkdha32.dll	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Hfkkgo32.dll	Imgkql32.exe
File opened for modification	C:\Windows\SysWOW64\Iinlemia.exe	Ijkljp32.exe
File opened for modification	C:\Windows\SysWOW64\Denlnk32.exe	Doccaall.exe
File opened for modification	C:\Windows\SysWOW64\Dphifcoi.exe	Dcdimopp.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kagichjo.exe
File created	C:\Windows\SysWOW64\Anjekdho.dll	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Hjfihc32.exe	Hboagf32.exe
File opened for modification	C:\Windows\SysWOW64\Hjhfnccl.exe	Hbanme32.exe
File created	C:\Windows\SysWOW64\Jjbako32.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Ockmjg32.dll	Daifnk32.exe
File created	C:\Windows\SysWOW64\Eofinnkf.exe	Ehlaaddj.exe
File created	C:\Windows\SysWOW64\Gcbnejem.exe	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Ibagcc32.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Hibljoco.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Ipckgh32.exe	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Dakbckbe.exe	Dhcnke32.exe
File created	C:\Windows\SysWOW64\Lpacnb32.dll	Gmoliohh.exe
File opened for modification	C:\Windows\SysWOW64\Gjjjle32.exe	Gbcakg32.exe
File created	C:\Windows\SysWOW64\Jfdida32.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Jplmmfmi.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Iifpphha.dll	Elagacbk.exe
File created	C:\Windows\SysWOW64\Chkede32.dll	Epmcab32.exe
File created	C:\Windows\SysWOW64\Jfffjqdf.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Nilhco32.dll	Jangmibi.exe
File created	C:\Windows\SysWOW64\Jkfkfohj.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Lijiaonm.dll	Hibljoco.exe
File created	C:\Windows\SysWOW64\Ijfboafl.exe	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Ncldlbah.dll	Ijkljp32.exe
File opened for modification	C:\Windows\SysWOW64\Jaedgjjd.exe	Iinlemia.exe
File opened for modification	C:\Windows\SysWOW64\Jangmibi.exe	Jkdnpo32.exe
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Daifnk32.exe	Dphifcoi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7076	6908	WerFault.exe	263

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chkede32.dll"	Epmcab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbfppi32.dll"	Fcgoilpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bademghm.dll"	Ffekegon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkmdbdbp.dll"	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldooifgl.dll"	Hapaemll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	49adcbe0edf827d6c8871ace031b694f02d39f48848f9f468d1d3f13c7a80363.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bamagp32.dll"	49adcbe0edf827d6c8871ace031b694f02d39f48848f9f468d1d3f13c7a80363.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doccaall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecphimfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecphimfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hionfema.dll"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebeejijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbocjjm.dll"	Giacca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclgpkgk.dll"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efneehef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkindkmi.dll"	Doccaall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epmcab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hapaemll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgkghl32.dll"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll"	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkiobic.dll"	Haidklda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jehocmdp.dll"	Djlddi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkokhc32.dll"	Dphifcoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkbkiioa.dll"	Efneehef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibilnj32.dll"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknpkqim.dll"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmihaj32.dll"	Ebeejijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqmlhpla.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 528 wrote to memory of 3376	528	49adcbe0edf827d6c8871ace031b694f02d39f48848f9f468d1d3f13c7a80363.exe	85
PID 528 wrote to memory of 3376	528	49adcbe0edf827d6c8871ace031b694f02d39f48848f9f468d1d3f13c7a80363.exe	85
PID 528 wrote to memory of 3376	528	49adcbe0edf827d6c8871ace031b694f02d39f48848f9f468d1d3f13c7a80363.exe	85
PID 3376 wrote to memory of 1408	3376	Doccaall.exe	86
PID 3376 wrote to memory of 1408	3376	Doccaall.exe	86
PID 3376 wrote to memory of 1408	3376	Doccaall.exe	86
PID 1408 wrote to memory of 3900	1408	Denlnk32.exe	87
PID 1408 wrote to memory of 3900	1408	Denlnk32.exe	87
PID 1408 wrote to memory of 3900	1408	Denlnk32.exe	87
PID 3900 wrote to memory of 4680	3900	Dhlhjf32.exe	88
PID 3900 wrote to memory of 4680	3900	Dhlhjf32.exe	88
PID 3900 wrote to memory of 4680	3900	Dhlhjf32.exe	88
PID 4680 wrote to memory of 3168	4680	Dpcpkc32.exe	89
PID 4680 wrote to memory of 3168	4680	Dpcpkc32.exe	89
PID 4680 wrote to memory of 3168	4680	Dpcpkc32.exe	89
PID 3168 wrote to memory of 2936	3168	Dcalgo32.exe	90
PID 3168 wrote to memory of 2936	3168	Dcalgo32.exe	90
PID 3168 wrote to memory of 2936	3168	Dcalgo32.exe	90
PID 2936 wrote to memory of 4004	2936	Djlddi32.exe	91
PID 2936 wrote to memory of 4004	2936	Djlddi32.exe	91
PID 2936 wrote to memory of 4004	2936	Djlddi32.exe	91
PID 4004 wrote to memory of 4220	4004	Dcdimopp.exe	92
PID 4004 wrote to memory of 4220	4004	Dcdimopp.exe	92
PID 4004 wrote to memory of 4220	4004	Dcdimopp.exe	92
PID 4220 wrote to memory of 1264	4220	Dphifcoi.exe	93
PID 4220 wrote to memory of 1264	4220	Dphifcoi.exe	93
PID 4220 wrote to memory of 1264	4220	Dphifcoi.exe	93
PID 1264 wrote to memory of 4516	1264	Daifnk32.exe	94
PID 1264 wrote to memory of 4516	1264	Daifnk32.exe	94
PID 1264 wrote to memory of 4516	1264	Daifnk32.exe	94
PID 4516 wrote to memory of 992	4516	Dhcnke32.exe	95
PID 4516 wrote to memory of 992	4516	Dhcnke32.exe	95
PID 4516 wrote to memory of 992	4516	Dhcnke32.exe	95
PID 992 wrote to memory of 2976	992	Dakbckbe.exe	96
PID 992 wrote to memory of 2976	992	Dakbckbe.exe	96
PID 992 wrote to memory of 2976	992	Dakbckbe.exe	96
PID 2976 wrote to memory of 2436	2976	Elagacbk.exe	97
PID 2976 wrote to memory of 2436	2976	Elagacbk.exe	97
PID 2976 wrote to memory of 2436	2976	Elagacbk.exe	97
PID 2436 wrote to memory of 5044	2436	Epmcab32.exe	98
PID 2436 wrote to memory of 5044	2436	Epmcab32.exe	98
PID 2436 wrote to memory of 5044	2436	Epmcab32.exe	98
PID 5044 wrote to memory of 4432	5044	Ebnoikqb.exe	99
PID 5044 wrote to memory of 4432	5044	Ebnoikqb.exe	99
PID 5044 wrote to memory of 4432	5044	Ebnoikqb.exe	99
PID 4432 wrote to memory of 3880	4432	Eoapbo32.exe	100
PID 4432 wrote to memory of 3880	4432	Eoapbo32.exe	100
PID 4432 wrote to memory of 3880	4432	Eoapbo32.exe	100
PID 3880 wrote to memory of 2744	3880	Ejgdpg32.exe	101
PID 3880 wrote to memory of 2744	3880	Ejgdpg32.exe	101
PID 3880 wrote to memory of 2744	3880	Ejgdpg32.exe	101
PID 2744 wrote to memory of 3244	2744	Ecphimfb.exe	102
PID 2744 wrote to memory of 3244	2744	Ecphimfb.exe	102
PID 2744 wrote to memory of 3244	2744	Ecphimfb.exe	102
PID 3244 wrote to memory of 5020	3244	Efneehef.exe	103
PID 3244 wrote to memory of 5020	3244	Efneehef.exe	103
PID 3244 wrote to memory of 5020	3244	Efneehef.exe	103
PID 5020 wrote to memory of 3864	5020	Ehlaaddj.exe	104
PID 5020 wrote to memory of 3864	5020	Ehlaaddj.exe	104
PID 5020 wrote to memory of 3864	5020	Ehlaaddj.exe	104
PID 3864 wrote to memory of 2948	3864	Eofinnkf.exe	105
PID 3864 wrote to memory of 2948	3864	Eofinnkf.exe	105
PID 3864 wrote to memory of 2948	3864	Eofinnkf.exe	105
PID 2948 wrote to memory of 3340	2948	Ebeejijj.exe	107

C:\Users\Admin\AppData\Local\Temp\49adcbe0edf827d6c8871ace031b694f02d39f48848f9f468d1d3f13c7a80363.exe
"C:\Users\Admin\AppData\Local\Temp\49adcbe0edf827d6c8871ace031b694f02d39f48848f9f468d1d3f13c7a80363.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:528
- C:\Windows\SysWOW64\Doccaall.exe
  C:\Windows\system32\Doccaall.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\SysWOW64\Denlnk32.exe
    C:\Windows\system32\Denlnk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Windows\SysWOW64\Dhlhjf32.exe
      C:\Windows\system32\Dhlhjf32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3900
    - - C:\Windows\SysWOW64\Dpcpkc32.exe
        
        C:\Windows\system32\Dpcpkc32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4680
      - C:\Windows\SysWOW64\Dcalgo32.exe
        
        C:\Windows\system32\Dcalgo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\Dcdimopp.exe
        
        C:\Windows\system32\Dcdimopp.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:992
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3864
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        23⤵
        Executes dropped EXE
        
        PID:3340
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        24⤵
        Executes dropped EXE
        
        PID:2904
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        25⤵
        Executes dropped EXE
        
        PID:3116
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        28⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1876
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4476
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2836
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4776
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1632
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2404
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        40⤵
        Executes dropped EXE
        
        PID:512
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        41⤵
        Executes dropped EXE
        
        PID:2160
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        42⤵
        Executes dropped EXE
        
        PID:752
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        43⤵
        Executes dropped EXE
        
        PID:3992
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3908
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1592
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2784
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        50⤵
        Executes dropped EXE
        
        PID:2864
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2116
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1928
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:808
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4692
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2300
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4860
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        62⤵
        Executes dropped EXE
        
        PID:3020
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4324
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        66⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        67⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1548
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        69⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1052
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4696
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        72⤵
        Drops file in System32 directory
        
        PID:2964
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        73⤵
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        74⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3648
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        76⤵
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        78⤵
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        79⤵
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        80⤵
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        81⤵
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        82⤵
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        84⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        86⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5576
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5616
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        91⤵
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5736
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        94⤵
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5944
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5988
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        99⤵
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        102⤵
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        106⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        108⤵
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        109⤵
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5688
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5808
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        113⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        116⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6132
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        119⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        120⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        123⤵
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5848
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        125⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        126⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        127⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        128⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        129⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        130⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        131⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        132⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        133⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        134⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        135⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        136⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        137⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        138⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        139⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        140⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        141⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        142⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        143⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        144⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        145⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        146⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        147⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        148⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        149⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        150⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        151⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        152⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        153⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        154⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        155⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        156⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        157⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        158⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        159⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        160⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        161⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        162⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        163⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        164⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        165⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        166⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        167⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        168⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        169⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        170⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        171⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        172⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        173⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        174⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6908 -s 400
        175⤵
        Program crash
        
        PID:7076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 6908 -ip 6908
1⤵
PID:7020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daifnk32.exe

Filesize
242KB

MD5
2536dc2445783e80c7e7a6da917c4fc2

SHA1
efe3b8c4af7bb67cb3386ead33e62a1209b15e5c

SHA256
322bc2fd1cbcf97ae5c3ec04c49a2929695a8927ecfc57c97c86728b785d90c9

SHA512
6071e21c9de60e8a6765c195442aeab01458573084df47552917fd3d25721d2bf95bf25a1c092ca9b7f7a09122899d67367a32e3a23e118775f3a5efa5f4d3e6

Download Submit
C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
242KB

MD5
6861001c134ad46f4587913247336d62

SHA1
6eeb83321c8b1e732f393d1799060d663c39b666

SHA256
c1066a0f86c2459f9e943ff2565f12b06081f54cb7af1c8c36f719bfdfec12ff

SHA512
88629ec5f03214f0c19c611ac724744a7e19538b8948683b616f57876423b0068a4d40768cbef99771958e6aa25803d04a0a25b3b420ce745b0a286d70a42a70

Download Submit
C:\Windows\SysWOW64\Dcalgo32.exe

Filesize
242KB

MD5
41c77c74634e4611b037b17d9cf03e79

SHA1
cb536c2c041df98f13566369660aeb71af58ffef

SHA256
604b6768a1b6387f5c76e47598a34d00b5f3d5c3595af929ae83471432ee5e35

SHA512
8768869358d736fed40e84b888478259c10cce68fe679964d4188de06b5aeac6f4a65e39143ae143952e08772b0289dd9228f65f1ed477576e132d87f84c064e

Download Submit
C:\Windows\SysWOW64\Dcdimopp.exe

Filesize
242KB

MD5
ea6d821133a5657aeb7caa079c90fced

SHA1
0491db95e0d249e44cd3a79cf1f2f3164bcd2fbc

SHA256
322df6a0a1fffcf3885c1f4c17cd0b37a47cbb49287b99e86531818c1fdb9c95

SHA512
4a30f94de128dad37d45088c00cdc5d7d607a0942b296f97a04a8e1734e20f48f8234cdaad682f312af4786544e9dda2e77d2ba0421a12fd4ede804724b28910

Download Submit
C:\Windows\SysWOW64\Denlnk32.exe

Filesize
242KB

MD5
17868ccca5a8008a9cc7d27ac84a378b

SHA1
eb74038b8bc8ae7f51ce1c9078597110127a34f9

SHA256
f92ccee5b8c17bb4ee880ccddf2f42081b2c9ef1c3c8707fb15cd5e06f98d475

SHA512
f74150a0af40394e37f8ba43f6dbfa3a395c68bbc9808d37f87fc2625aeb61adca70bb28190ee73fa1755ba48645f922fcb68181a1a27ae6cd67da40b91ae512

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
242KB

MD5
5070714161a511e132604d5498648590

SHA1
28495ee831817188c2ab99552ce3b1f886655469

SHA256
ff950f0a3766aade7675295eb1367a85dbd1edaca56fe5a72a88cae8e50697f6

SHA512
3dcf939c1589bc234d062c591a5841cd763260d5ddc547875422e9063dd6133fc693d92f03caeec056ca672c62af74d9212afedbd82283559bb4116d9a367ffb

Download Submit
C:\Windows\SysWOW64\Dhlhjf32.exe

Filesize
242KB

MD5
15fb89b79034a5b5684dc18f8e94212e

SHA1
4344193b6caf139c3a0104fd5457b2658a5a8899

SHA256
2507a702049010d7da03d44cac4f4d58a3189d52fa2d6bbe216264ca4a20da32

SHA512
1cd6e3d2d883c8f4a518535f362f27c774a00d906876f3cda50f67106401af4dd0db926321ac0d5ec92704b25730faa1856aa3b0d7fc8eabb342aebef94c5ea7

Download Submit
C:\Windows\SysWOW64\Djlddi32.exe

Filesize
242KB

MD5
210d22f01c7f58aee79171c1991db9cf

SHA1
5f046138b0b98ef23cc44d3f3aab3ddf9d6097d6

SHA256
7d20fd58caa2d7a03397c000f6b3e1f8cb062c63302414b94bdc3bec217e791f

SHA512
edd53bd8cacd5d0927d777e61a75ab727f4eacae9bc9ee8411a8776a2640b351e770474a52f659687b978f6e2c806319e6735b6cd51dc8aa5a89478126005c03

Download Submit
C:\Windows\SysWOW64\Doccaall.exe

Filesize
242KB

MD5
676a80cb3cfd9f2501ac9f6a8c678c18

SHA1
4f80c1844c54c0fbd3c74651fd513026f460897e

SHA256
9eff823761a31fb5231d5db973e7683cc6beb9ebf84ae735880051be5881a69c

SHA512
beae6427a96ef0dcb7fbd8e07f855e886861bd69e463bc6450d8d12a67c9b4e9e716b08f30197ab38899fa66368d2fac892c1c290249f192ae025fd6f0cdcd98

Download Submit
C:\Windows\SysWOW64\Dpcpkc32.exe

Filesize
242KB

MD5
10f3d3e0953c7e3dbd4f8dc97508e566

SHA1
2fe860dbab673c6df59ca8a10768d13052d4a093

SHA256
b05a6eb88f08c3413e595ebbbecbdcbd3fb3205176da031e6cb8682107386662

SHA512
6b25af5146a24b861c4604c357981fec123bbe43789b85d3b86f4a606b46ff191a58b9825ffa737cda3a2512b012a552618a1dcaac1fc974b71b4c8bcf009b75

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
242KB

MD5
a5cc739112d7be33c7d1819be93876e2

SHA1
62d857e1fa3cc545a4f4b7e0bfc57eb1cb8aeeab

SHA256
d95a1616cfb8dd4c2ba524c8907eaf0c7e57bd0a6b0a80c550538c260b94bf0e

SHA512
c4b86aeb9bc1ee49f2e5ce69ac41eb02fb63b180d362c43d8aac7691ac093ff3ed829b2967a0ed24e452143dd13fce877a38de45d19aee772ea0b193c9f59d24

Download Submit
C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
242KB

MD5
ef0cf1d2b3e31108ed48c9b3749a6ce6

SHA1
591415d8185ddf621c625bc03db03a5a61a5ea9d

SHA256
dfb6a3d3f283d721a68faa6bbd4c00a6a10c885cc1bd432365e8b3a149652622

SHA512
19041f2ed76acb7ece98b7c09abefe2e22bdcdd76808523dfce86432ebf746f895e76bd18dcb174db8e50bdc6fe9602b4ee27f7a663a1209539e905c835ef764

Download Submit
C:\Windows\SysWOW64\Ebnoikqb.exe

Filesize
242KB

MD5
0e7697c507689c415af33dec2f411d08

SHA1
0dfcfcdf64da66436d5ae493503f20fcf513a042

SHA256
68dde89ef7f12b91827c7c52b748683cee42cc5d753b53e2f5b96cad5178d175

SHA512
55f08503390edff07a42d7621b4f5e444be012410c1224827bdd2bbec84bcda25a84154254e756c52bcdb75b732d8eed763b82e218211aae1758ae926a1d95b6

Download Submit
C:\Windows\SysWOW64\Ecphimfb.exe

Filesize
242KB

MD5
cf650bffe5961b35059bbc5f651ea781

SHA1
d773ed3e2fe619a0232e679d5bd74abd1db80945

SHA256
7930cba311f8e8939115a349c00e545cb3c46244f9f126acf6be0fc07d98076c

SHA512
0ec1e4435589a1fda0ad221729a247d062ca23db4359748ab503082c5079b9eac6c4c709ea19b76b540aa8be0b261339b9d6d21a1611f958a0d29a3782b24538

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
242KB

MD5
e59faa1c77b0a7997cfe762d70fb83b2

SHA1
a6e64bfd86544a120f554068d087c580c2b3b8ec

SHA256
69f0698b7c841ab2e1b778769311b7898e59e09230c0e63a5555fb066a6c710d

SHA512
733b2135d238df8ea80dd869b22abd10f33bb4ed859adae944febfb797b6e4694f11e59c2022c4539ecd6308b62ba4722a4cf9d43b3380845652ccbf52a7ae72

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
242KB

MD5
c4b5ebe2704a5d66b1654a1cadeb895d

SHA1
0fda853ef94c562c53372546c9de7cc9cd20b2fb

SHA256
55660b70917c68baea35564c67ec0f491409d3bd38b9725f0e8c77df5d0fbe71

SHA512
790b8b8091bc74c2ddb52ca0ae909eedced91d4cb078bcf497f34e024539f46f190f3f168fd7aab03228b129c11b9502f7a39f25de8ce693ae9141bd16f08c9c

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
242KB

MD5
c94f41322203b08df39b2eb4051240d4

SHA1
55974ade7fe09eff210e654f9294d532be9a7675

SHA256
3dc8eb8d78320ee943a21a43f6ecd182a6e2451c6b55cfbfdb71fe5a4390dc1a

SHA512
f88d440f823af72c4f96642227738b86aa05bd44315b746280a966394802dc141f431beef589f470a607107f41fff8334ac9682156435cd721571fea3dd58bb3

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
242KB

MD5
2642d49ab4a6ddbb4a7fc217580c24da

SHA1
2269dc26ece41062ff2e8f7b43e6e146ddef1e7e

SHA256
e6afc4c7b192c7b4948b53187b1d3db540d7c89de1978ff4cd88265d1bdc6331

SHA512
c8924e7c5e78295334cdde24be04e2bd636582e730f513fd55f015c3cae403f03cc6ea8aa6cc0acc9945f66c36a8df275973b66200c400911d2779611d313c50

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
242KB

MD5
84c3b6b12e5b8248aa4dac21cebf0780

SHA1
5b98f9dc1a4fc6a81a5bb1ad7923debe50297685

SHA256
5ee8d2a71b02d70b0ba874289cc329fe99b1a5d9a9d3dcd23463827385dfddb8

SHA512
f87943d65511243f2432695ae0482aa8f3ada6f2d0215dcaab1ff9d99f5efa9a5bc2f244e1ab65b709207161f0ddf906053d6d803d4819243d78afdfb3c438a1

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
242KB

MD5
676a5e64f2b0eeeae2eb39b471977470

SHA1
73e8c5c555703b0c6bb28b7b1230e456f360e4f2

SHA256
cedb49fef0c97d12857ef9d54b7876362ade205a199a0e01d6e96f75140dc5c5

SHA512
972a80ee8f937d16a7a4716290ee8ca4835e6704cbf7be4e055ff77b1225f752d51efa4a7e8504781c8367e475ebbda448e8a93c86a084e2a3057d798a090a28

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
242KB

MD5
fe87f10ec89840f76a1bd728e7b03bd4

SHA1
8d1f061dc022ff114ff98d14ca43f3eed5273713

SHA256
dfb0ff7ae05253aba9cafb35d3c15ec63790838530830500a70b81bd2d7b5ec4

SHA512
9ae96d511913da53c2f6723429e5b08bb2ec7eab2f342cc94961f6d1380cb27a3fcf2c746d748cc36d555f7f215a00c8f8a324d0d9caaaa8828e8648679f2f8e

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
242KB

MD5
4291ac595125b2f8eed6e258a277475d

SHA1
c73f0220f99a41addb635d22c14cc2e2b06235dd

SHA256
ff098498842912de97ec048cb7884fe6d38bd5dbfefa0f54f8208427bb639445

SHA512
e11dcb1d03159bcebced4011ffe6ea5a2d367f6c13ce586b8d6e823f373e99fbeff2d2fa5742fe6c06cd6802352195c262774910a7e6e947083fafe2da06edc5

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
242KB

MD5
5d0a9efbda6822876211079a579c2fac

SHA1
fb4a9e874950eb07190ae3a3fa41dd7865b3cd2f

SHA256
ec271bf429bcf0f2262f76506bd7944fe1a422906141320d0658f1ee7f2cc3db

SHA512
d343f97cae09ab1e4d6b7bf04ea128a8c6d1456d8a3bfd6e8c6f045957a5629cfacb6c6675cef377ec555ee9a0d5d59f7d7c806c580ca14ee416f6dfb7a94018

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
242KB

MD5
7b4adaac537fef7a1ab5510f61de140d

SHA1
872465e0fa5fce9ba1deaa3eefc9cc9127c4f798

SHA256
ead51afc1d79751781c58c7e85340818356a7b8fece030db10ab6b8032350581

SHA512
bb76651043e9d6596c3fee953db1a26632335c993b9dadefdb559b74c384cfc89d3be6f43e262fa90c9e6e07201874efbcd315a76da8ddaaf593918128c1123a

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
242KB

MD5
f17a40d16c869ed3f770367d90ee3139

SHA1
409fb70fcd7262667faf96f6ff4dcea778f9afd6

SHA256
74bc4477ba92f60d7e1143f724e54c7482ce2d784115455b9632c7adf0477e6d

SHA512
e2e5dab268b56b16a0d354de97f2fa17f2ef172efa044f0133964fc29ae8f137d38384d1f63ea7d7cd6518315a60fcf794540cc68992020fc1b54d9bfe2b0f5a

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
242KB

MD5
63ab18439e33e589860dac1be1419cda

SHA1
50cae36b20a65e4d6dcf87713e6ca32b0823c640

SHA256
ee2b0f5847f2bc3e34f9a98a6becc7ca46793f1b8183d52d2722821718179c2b

SHA512
98830e284ae555da1a9b6509531fd0913b456a2066314f972125f35c2536d91181b4a0bbc404a0d970ca8f66e0d2056907cf39ec1f38e56b06ee202da2034ed7

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
242KB

MD5
2faf98289b48f8c32102323d030e6ef3

SHA1
34d96960a0ebf2e3c7c65495e3e198b792302b2f

SHA256
78808fa31720f10090aec66c0f8d8eecbda208ff78f41218db1ee76403377ffb

SHA512
c6e0e4a37f8f362307a38c3e9dfb5e4fb998940a067fcfd7b7331b57c411d6decd11750719609f2f3b0aa392786d5822b18ec4e522ee9fe22851ae167d5514a4

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
242KB

MD5
e6650609f8509a47f5ae17ec99942ba4

SHA1
b69f21422741ee8efac5a18bd3c5a1265b910803

SHA256
6326db25cad7212a8657e3311ef3e14c36828838491226f7a750fe329dd38b2d

SHA512
b2542d3f22e3deea92882def29f7267303dd360945edf3fd4c97d976f38c0f90f984aa7123f9e40e6ad489675b4ef8515415f1f9aa92c9563a645084f64ef968

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
242KB

MD5
faef3b421fce1043e7a5b8b29325281b

SHA1
cf8e4a2c9428e559a97948395aa87a683abcdfce

SHA256
75bcb659d7f019eb47e2f10f0bd995d900aad3b8f3450d978d50a14056b851d8

SHA512
da7e5b377bc8d657fd21fef96a69af59a91d424f7524e06ade562718047228ad37a38d1815160cfa7610a37f56b3a8e76aa833ebf632e2504668970886751465

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
242KB

MD5
b177797d55c56343d1bfa7e9de7f5ff1

SHA1
8b97b7779e18a607b49263c4de1601a28b7f2ed3

SHA256
5933c66b1b2b1ed4f6ea5696fdb672e6684a0c884f75deeae25df24f6558d704

SHA512
5002f1b9e0919d8d730cee936fc979cfdcef78f008e5a65f63b574408a7b209768cc8153f80f0606027de27e1d002b8614775517793cf9ca0f1b63fa477cf57a

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
242KB

MD5
4fb5512ae7d921fabe7cb8e72b126645

SHA1
cc8952b8ac53beceec1542dd72d88c013c0ca2b6

SHA256
f0ece4c84bb7963348e0757b02aed1341f9821465d30bec0276f131442e2f485

SHA512
880d831fdb10f2e8eaa3e7e181b0a43451bc9fe5228a1439f214559a736dcf95069e0ade6fa2ebaa5464cd69734a8c57cff7b26953cccfdef6d46fd6b06fc577

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
242KB

MD5
04cec21d4118cc2a6fd719c130b179b1

SHA1
3d064595001497735d2570245c4aee4a3a63db6e

SHA256
94f58ca4d5875053f671b874b4ebc5f081919839a9803929e403c109f58d71fd

SHA512
8d4733c6ab899f27821c8b7702bfc233eaaf95d37ffffb13b982bcb741f249305b15b90de9a037c3e10d4ade81d43b2c8b5a00280e041758fce39bc38958d450

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
242KB

MD5
6b959d2e7d035c8dac340e78b31c2356

SHA1
e122aab6d8e78c460efe962628f64ab6bd2fe915

SHA256
f694cabc6bebe6166930608f5f2104a4de9e52a21abac0abf7545f515ec7902e

SHA512
5ff2356344826d229d4c20852f5809d02d8af3854009b14dbdf0de5daa17f33800367f7cc1c3d35a064a067217ecdac149771577afb301e713a6a3ffafc90d9d

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
242KB

MD5
07c79345f2e97dfe76dfff02aa88da6c

SHA1
e9a5056760a03a8bdcdb8c69add2ad1bad15c210

SHA256
89a4ead7c95056f1d3f5e65723d6d30eb74db229be1e58cf2b8dbfddcd28bb68

SHA512
ede11d1702a8a5c4e10c5286cb241921522c5346e481c2e81d1f9632911145ec7ee6f4357b0b1381b8329d1d1ac83c68d70a8d9a8c1e0fa3d1f5f0f71734f280

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
242KB

MD5
6af3af33a8f928123c2819349f2eef95

SHA1
9454aa67a72b5bd603dd57d46b8cb2f88279601e

SHA256
4dcfef1356df273117d20436724925cc1a0606fc5bd4fd488c27b50a5afe2148

SHA512
f08340b80c527409c8be9d29221134f3a7b5ad68f994616e5877fa4fa2871cc005ebf59161cc99dee4079de3772f382a0e8f585ad2afa777b5809f9592e8b33b

Download Submit
memory/432-249-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/512-297-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/528-80-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/528-1-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/528-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/752-304-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/808-374-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/992-90-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1264-73-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1316-201-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1356-428-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1408-17-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1548-461-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1592-339-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1632-281-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1876-217-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1928-368-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2124-273-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2216-386-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2228-324-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2260-393-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2300-404-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2404-287-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2436-105-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2528-328-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2744-138-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2784-347-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2836-256-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2864-351-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2904-184-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2936-49-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2976-98-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3020-426-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3036-434-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3084-208-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3100-456-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3116-198-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3168-45-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3176-240-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3244-146-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3340-176-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3376-13-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3436-449-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3476-357-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3596-410-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3612-316-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3708-209-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3864-166-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3880-130-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3900-29-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3992-310-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4004-61-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4064-231-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4220-65-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4236-380-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4432-121-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4476-241-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4516-82-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4680-37-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4692-398-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4776-275-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4860-416-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5020-161-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5044-114-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads